A comment posted on one of my questions the other day raised a question in my head. I know that many site admins appreciate users reporting bugs and security holes, and as a user I appreciate people who do this. I often try to find and report them in sites and apps which I use frequently or to which I hand sensitive data. I am reasonably certain these sites would be fine with me testing really harmless stuff like reflected XSS and the like, but where is the line? How much is it ethical to test without permission? Is it ethical to test the site for SQL injection vulnerabilities if I do not actually extract data? Is there a difference between what the law permits and what site administrators will thank you for? What is the best way to ask a site admin what their opinion on this is without scaring them?


I should clarify that I never test more than I am absolutely sure would be ok with the admin of any given site.
– 735Tesla Feb 16 '14 at 14:19

2 Answers

In a web app pentesting course I took recently, the instructor opined that anything you can do passively - looking at the raw source the server and client are exchanging, without changing anything - is on the ethical side of the line. As soon as you insert 'malicious' strings (like SQL injection tests, even those that won't extract any data) or alter things (bypassing client-side validation, for example) you're on the other side of the line, and should have permission before doing so.

(And if you're smart or professional, permission should be documented)

(There's a 13-to-47 mapping between what the law permits and what system administrators approve of, and the mapping shifts regularly)
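As an added illustration of the passive side of that line (example code, not part of the answer above or of any course material): the script below reviews an HTTP response the server has already sent, flagging weak security headers and missing cookie flags. It sends nothing and modifies nothing, so it stays within "looking at the raw source". The response it inspects is a constructed sample, not captured from any real site; the hostname-free header values and cookie names in it are invented for the demonstration.

```python
"""Passive-only review of a captured HTTP response.

Added example. Input is a response exactly as a browser's network tab or a
logging proxy would show it. The code only reads; it never builds or sends a
modified request, so it does not cross into injecting strings or tampering
with parameters, which the answer above says requires permission.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample response; not from any real server.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: PHPSESSID=8f3a1c; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Max-Age=31536000\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Substrings that suggest a cookie carries a session or auth value
# (assumption for the example; adjust to the application under review).
SESSION_HINTS = ("sess", "sid", "token", "auth")


def parse_response(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw response into its status line and a header map.

    Header names are lower-cased; repeated headers (Set-Cookie) are kept
    as a list so none are silently dropped.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def cookie_findings(set_cookie_values: List[str]) -> List[str]:
    """Report session-like cookies missing Secure, HttpOnly or SameSite."""
    findings = []
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if not any(h in name.lower() for h in SESSION_HINTS):
            continue  # preference cookies are not worth flagging
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie {name} lacks {flag}")
    return findings


def header_findings(headers: Dict[str, List[str]]) -> List[str]:
    """Report absent or weak hardening headers and version disclosure."""
    findings = []
    if "strict-transport-security" not in headers:
        findings.append("no Strict-Transport-Security header")
    if "content-security-policy" not in headers:
        findings.append("no Content-Security-Policy header")
    if headers.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    csp = " ".join(headers.get("content-security-policy", []))
    if "x-frame-options" not in headers and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options / frame-ancestors)")
    for server in headers.get("server", []):
        if re.search(r"\d+\.\d+", server):
            findings.append(f"Server header discloses version: {server}")
    return findings


def passive_review(raw: str) -> List[str]:
    """Run every read-only check over one captured response."""
    _status, headers = parse_response(raw)
    return header_findings(headers) + cookie_findings(headers.get("set-cookie", []))


if __name__ == "__main__":
    for finding in passive_review(SAMPLE_RESPONSE):
        print("-", finding)
```

Everything this script reports is something the site chose to send to every visitor; it is the kind of observation that can go into a polite report without anyone wondering whether you probed them. The moment a script starts varying request parameters (a quote in a query string, an edited hidden field), it has switched from reading to testing, and the permission question applies.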

I agree with gowenfawr. The unfortunate truth is that penetration testing and bug testing do more harm than good in many cases even when you're doing them accidentally. The laws haven't caught up yet, so you could go to jail for just trying to help. Maybe in a couple of decades, when there are more lawmakers and Fortune 500 execs who have learned how to turn on a computer than those who haven't, you won't have to ask this question (even if you're still alive by that time :)).

I'm serious about the "not knowing how to turn on a computer". My uncle certainly doesn't, or he claims he doesn't. Now, he's neither a Fortune 500 person nor lawmaker, but this illustrates the point that there are still people like that.
– trysis Feb 16 '14 at 16:19